The maintenance work for kopia/restic backup repositories is run in jobs
Since velero started using kopia as the approach for filesystem-level backup/restore, we've noticed an issue when velero connects to the kopia backup repositories and performs maintenance, it sometimes consumes excessive memory that can cause the velero pod to get OOM Killed. To mitigate this issue, the maintenance work will be moved out of velero pod to a separate kubernetes job, and the user will be able to specify the resource request in "velero install".
Volume Policies are extended to support more actions to handle volumes
In an earlier release, a flexible volume policy was introduced to skip certain volumes from a backup. In v1.14 we've made enhancement to this policy to allow the user to set how the volumes should be backed up. The user will be able to set "fs-backup" or "snapshot" as value of “action" in the policy and velero will backup the volumes accordingly. This enhancement allows the user to achieve a fine-grained control like "opt-in/out" without having to update the target workload. For more details please refer to https://velero.io/docs/v1.14/resource-filtering/#supported-volumepolicy-actions
Node Selection for Data Movement Backup
In velero the data movement flow relies on datamover pods, and these pods may take substantial resources and keep running for a long time. In v1.14, the user will be able to create a configmap to define the eligible nodes on which the datamover pods are launched. For more details refer to https://velero.io/docs/v1.14/data-movement-backup-node-selection/
VolumeInfo metadata for restored volumes
In v1.13, we introduced volumeinfo metadata for backup to help velero CLI and downstream adopter understand how velero handles each volume during backup. In v1.14, similar metadata will be persisted for each restore. velero CLI is also updated to bring more info in the output of "velero restore describe".
"Finalizing" phase is introduced to restores
The "Finalizing" phase is added to the state transition flow to restore, which helps us fix several issues: The labels added to PVs will be restored after the data in the PV is restored via volumesnapshotter. The post restore hook will be executed after datamovement is finished.
Certificate-based authentication support for Azure
Besides the service principal with secret(password)-based authentication, Velero introduces the new support for service principal with certificate-based authentication in v1.14.0. This approach enables you to adopt a phishing resistant authentication by using conditional access policies, which better protects Azure resources and is the recommended way by Azure.
Runtime and dependencies
Golang runtime: v1.22.2
kopia: v0.17.0
Limitations/Known issues
For the external BackupItemAction plugins that take snapshots for PVs, such as vsphere plugin. If the plugin checks the value of the field "snapshotVolumes" in the backup spec as a criteria for snapshot, the settings in the volume policy will not take effect. For example, if the "snapshotVolumes" is set to False in the backup spec, but a volume meets the condition in the volume policy for "snapshot" action, because the plugin will not check the settings in the volume policy, the plugin will not take snapshot for the volume. For more details please refer to #7818
Breaking changes
CSI plugin has been merged into velero repo in v1.14 release. It will be installed by default as an internal plugin, and should not be installed via "–plugins " parameter in "velero install" command.
The default resource requests and limitations for node agent are removed in v1.14, to make the node agent pods have the QoS class of "BestEffort", more details please refer to #7391
There's a change in namespace filtering behavior during backup: In v1.14, when the includedNamespaces/excludedNamespaces fields are not set and the labelSelector/OrLabelSelectors are set in the backup spec, the backup will only include the namespaces which contain the resources that match the label selectors, while in previous releases all namespaces will be included in the backup with such settings. More details refer to #7105
Patching the PV in the "Finalizing" state may cause the restore to be in "PartiallyFailed" state when the PV is blocked in "Pending" state, while in the previous release the restore may end up being in "Complete" state. For more details refer to #7866
All Changes
Fix backup log to show error string, not index (#7805, @piny940)
Linux amd64 (checksum / 2694b91c3e501cff57caf650e639604a274645f61af2ea4d601677b746b44fe2)
Linux arm (checksum / 2b28fda1d8c6f087011bc7ec820051a13409dadce8385529f306476632e24e85)
Linux arm64 (checksum / adcf07b08484b52508e5cbc8b5f4b0b0db50342f7bc487ecd88b8948b680e6a7)
Linux i386 (checksum / 8e0bb5a08c7c227a8e285026b6283726ddc0e1f406e2af4d4d600fa1dd85c21e)
Linux ppc64le (checksum / 9d95528fb797f6429f7f9b6dee0cf87bf8c71f6470e1db4a51e844c169c285a3)
Linux s390x (checksum / 5b42bc3d08fd0ffaf4f9ed810f28464f52ec4ea431b809c7179071d76f3d6f16)
Linux riscv64 (checksum / 2998bae9971a55f862c21bff337c325cb6a44f28ef76e11bffc93d16989e11e6)
Windows amd64 (checksum / cbf40b79fa2a7dbd6e24201f8660b56261d10d6e7b5cadc3ff78100fb45b3c69)
This release was signed with 672C 657B E06B 4B30 969C 4A57 4614 49C2 5E36 B98E and can be found at @mattfarinakeybase account. Please use the attached signatures for verifying this release using gpg.
The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.
What's Next
3.15.3 will contain only bug fixes and be released on July 10, 2024.
3.16.0 is the next feature release and will be on September 11, 2024.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the security group with 12 updates:
1.8.0
1.8.1
1.13.2
1.14.0
0.30.1
0.30.2
0.30.1
0.30.2
0.30.1
0.30.2
0.30.1
0.30.2
0.30.1
0.30.2
0.30.1
0.30.2
2.120.1
2.130.0
3.15.1
3.15.2
0.30.1
0.30.2
0.30.1
0.30.2
Updates
github.com/spf13/cobra
from 1.8.0 to 1.8.1Release notes
Sourced from github.com/spf13/cobra's releases.
... (truncated)
Commits
e94f6d0
Address golangci-lint deprecation warnings, enable some more linters (#2152)8003b74
Remove fully inactivated linters (#2148)5c2c1d6
Consistent annotation names (#2140)5a1acea
build(deps): bump github.com/cpuguy83/go-md2man/v2 from 2.0.3 to 2.0.4 (#2127)0fc86c2
docs: update user guide (#2128)6b5f577
More linting (#2099)bd914e5
fix: remove deprecated io/ioutils package (#2120)1f80fa2
chore: remove repetitive words (#2122)c69ae4c
ci: test golang 1.22 (#2113)a30cee5
build(deps): bump actions/cache from 3 to 4 (#2102)Updates
github.com/vmware-tanzu/velero
from 1.13.2 to 1.14.0Release notes
Sourced from github.com/vmware-tanzu/velero's releases.
... (truncated)
Commits
2fc6300
Merge pull request #7860 from blackpiglet/update_e2e_for_1_14200f16e
Merge branch 'release-1.14' into update_e2e_for_1_140d36572
Merge pull request #7876 from reasonerjt/update-release-note-1.1408fea6e
Merge branch 'release-1.14' into update-release-note-1.14d20bd16
Skip parallel files upload and download test for Restic case.bf778c7
Merge pull request #7875 from reasonerjt/fix-restore-crash-1.14a650059
Update release note of 1.14f61c8b9
Add checks for csisnapshot for vol_info population2136679
Merge pull request #7852 from reasonerjt/fix-7849-1.14f6367ca
Use PVC to track the CSI snapshot in restoreUpdates
k8s.io/api
from 0.30.1 to 0.30.2Commits
118f81c
Update dependencies to v0.30.2 tagUpdates
k8s.io/apiextensions-apiserver
from 0.30.1 to 0.30.2Commits
2d2addc
Update dependencies to v0.30.2 tag803669d
Merge pull request #124676cici37/automated-cherry-pick-of-#124675
5e9c693
Adding the feature gates to fix cost for VAP and webhook matchConditions.Updates
k8s.io/apimachinery
from 0.30.1 to 0.30.2Commits
Updates
k8s.io/apiserver
from 0.30.1 to 0.30.2Commits
3b2ed79
Update dependencies to v0.30.2 tag7a3db50
Merge pull request #124676cici37/automated-cherry-pick-of-#124675
a30c80f
Merge pull request #124802seantywork/automated-cherry-pick-of-#124662
1ce5268
Updated & added visibility to apiserver x509 test certificates expiring this ...e025ab4
Adding the feature gates to fix cost for VAP and webhook matchConditions.Updates
k8s.io/cli-runtime
from 0.30.1 to 0.30.2Commits
a93d336
Update dependencies to v0.30.2 tagUpdates
k8s.io/client-go
from 0.30.1 to 0.30.2Commits
592d891
Update dependencies to v0.30.2 tagUpdates
k8s.io/klog/v2
from 2.120.1 to 2.130.0Release notes
Sourced from k8s.io/klog/v2's releases.
Commits
16c7d26
Merge pull request #401 from pohly/ktesting-warning-delaycd24012
ktesting: tone down warning about leaked test goroutine2ee202a
Merge pull request #404 from 1978629634/fsync-freelock79575d8
Do not acquire lock for file.Sync() fsync call7af45d6
Merge pull request #406 from pohly/linterd008cfe
examples: fix linter warningab53041
Merge pull request #402 from pohly/linter-issuesff7c070
build: fix some linter warnings569bb3c
Merge pull request #399 from jsoref/spelling-corporation200f43e
chore(*): fix spelling of Intel CorporationUpdates
helm.sh/helm/v3
from 3.15.1 to 3.15.2Release notes
Sourced from helm.sh/helm/v3's releases.
Commits
1a500d5
fix: wrong cli description70b225c
fix typo in load_plugins.gob3640f1
fix docs of DeployedAll46e2ba0
Bump github.com/docker/dockerfb311d3
bump oras minor version23552a7
feat(load.go): add warning on requirements.lockUpdates
k8s.io/kubelet
from 0.30.1 to 0.30.2Commits
27f7e47
Update dependencies to v0.30.2 tagUpdates
k8s.io/metrics
from 0.30.1 to 0.30.2Commits
c87f47a
Update dependencies to v0.30.2 tagDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase
.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show